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Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313- 
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/has*- 

/f Joan Deasy . 



APPEAL BRIEF PURSUANT TO 37 C.F.R. SS 41.31 AND 41.37 

This Appeal Brief is being filed in furtherance to the Notice of Appeal mailed on 
July 12, 2007, and received by the Patent Office on July 16, 2007. 

1 REAL PARTY IN INTEREST 

The real party in interest is Hewlett-Packard Development Company, L.P., the 
Assignee of the above-referenced application by virtue of the Assignment to Hewlett- 
Packard Development Company, LP. recorded at reel 016865, frame 0035, and dated 
August 3, 2005. Accordingly, Hewlett-Packard Development Company, L.P. will be 
directly affected by the Board's decision in the pending appeal. 
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2 RELATED APPEALS AND INTERFERENCES 

Appellants are unaware of any other appeals or interferences related to this 
Appeal. The undersigned is Appellants' legal representative in this Appeal. 

3 STATUS OF CLAIMS 

Claims 56 and 58-64 are currently pending. Claims 56, 58, 59 and 61-64 are 
currently under final rejection. Claim 60 is currently objected to. Thus, claims 56 and 
58-64 are the subject of this Appeal. Claims 1-55 and 57 are canceled. 

4 STATUS OF AMENDMENTS 

There are no outstanding amendments to be considered by the Board. 

5 SUMMARY OF CLAIMED SUBJECT MATTER 

With regard to the aspects of the invention set forth in independent claim 56, 
discussions of the recited features of claim 56 can be found at least in the below cited 
locations of the specification and drawings. By way of example, claim 56 is directed to a 
method for providing multi-class processing of login requests. The method comprises 
associating a login cookie class (310) with a login cookie (300). See, e.g., Application, 
page 5, line 4 - page 6, line 2; page 7, lines 5-16; page 19, lines 4-11; page 22, lines 17- 
23; page 23, lines 5-7; page 23, lines 13-20; Figs. 2-4, 9 and 10A-10D. The method also 
comprises providing a level of service to login attempts associated with the login cookie 
based on the login cookie class of the login cookie. See, e.g., Application, page 7, line 5 

- page 9, line 16; page 10, line 28 - page 12, line 7; page 14, lines 13-15; page 16, line 17 

- page 17, line 8; page 21, lines 5-28; Figs. 10A-10D. Further, the method comprises 
requiring a longer time delay for a second-class login cookie than for a first-class login 
cookie between an invalid login attempt and allowing a subsequent login attempt. See, 
e.g., Application, page 7, line 5 - page 9, line 6; page 10, line 28 - page 12, line 7; page 
14, lines 13-15; Figs. 10A-10D. 
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With regard to the aspect of the invention set forth in independent claim 62 
discussions of the recited features of claim 62 can be found at least in the below cited 
locations of the specification and drawings. By way of example, claim 62 is directed a 
computer program product for use in conjunction with a computer system (100). The 
computer program product comprises a computer readable storage medium (112) and a 
computer program mechanism embedded therein. The computer program mechanism 
comprises instructions for associating a login cookie class (310) with a login cookie 
(300). See, e.g., Application, page 5, line 4 - page 6, line 2; page 7, lines 5-16; page 19, 
lines 4-11; page 22, lines 17-23; page 23, lines 5-7; page 23, lines 13-20; Figs. 2-4, 9 and 
10A-10D. The computer program further comprises instructions for providing a level of 
service to login attempts associated with the login cookie based on the login cookie class 
of the login cookie. See, e.g., Application, page 7, line 5 - page 9, line 16; page 10, line 
28 - page 12, line 7; page 14, lines 13-15; page 16, line 17 - page 17, line 8; page 21, 
lines 5-28; Figs. 10A-10D. Additionally, the computer program comprises instructions 
requiring a longer time delay for a second-class login cookie than for a first-class login 
cookie between an invalid login attempt and allowing a subsequent login attempt. See, 
e.g., Application, page 7, line 5 - page 9, line 6; page 10, line 28 - page 12, line 7; page 
14, lines 13-15; Figs. 10A-10D. 

With regard to the aspect of the invention set forth in independent claim 63, 
discussions of the recited features of claim 63 can be found at least in the below cited 
locations of the specification and drawings. By way of example, claim 63 is directed to a 
method for providing multi-class processing of login requests to resist unauthorized 
access attempts. The method comprises providing a client (104) with a first-class login 
token (300) when the client successfully logs into an account, wherein the first-class 
login token entitles the client to one or more unsuccessful login attempts without 
requiring a delay between the unsuccessful login attempts. See, e.g., page 7, lines 5-16; 
page 8, lines 20-28; page 17, line 10 - page 24, line 19; Figs. 3A, 9, 10A-10D. The 
method also comprises requiring a delay between attempts to log into the account if a 



Serial No. 10/072,840 
Appeal Brief 
Page 4 



second-class login token or an expired first-class login token is utilized by the client. 
See, e.g., Application, page 7, line 5 - page 9, line 6; page 10, line 28 - page 12, line 7; 
page 14, lines 13-15; page 17, line 10 - page 24, line 19; Figs. 10A-10D. Further, the 
method comprises rejecting login attempts by the client when the client does not utilize 
any class of login token. See, e.g., Application, page 7, lines 24-27; page 17, line 10 - 
page 24, line 19; Figs. 10A-10-D. 

6 GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 
The Ground of Rejection for Review on Appeal : 

The Appellants respectfully urge the Board to review and reverse the Examiner's 
only ground of rejection in which the Examiner rejected claims 56, 58, 59 and 61-64 
under 35 U.S.C. § 102(a) as being anticipated by Bhatti et al. (U.S. Patent No. 6,304,906 
Bl) (hereinafter referred to as "the Bhatti reference"). 

7 ARGUMENT 

As discussed in detail below, the Examiner has improperly rejected the pending 
claims. Further, the Examiner has misapplied long-standing and binding legal precedents 
and principles in rejecting the claims under 35 U.S.C. § 102. Accordingly, the 
Appellants respectfully request full and favorable consideration by the Board, as the 
Appellants strongly believe that claims 56, 58, 59 and 61-64 are currently in condition for 
allowance. 

A. Ground of Rejection ; 

The Examiner rejected claims 56, 58, 59 and 61-64 U.S.C. § 102(a) as being 
unpatentable over the Bhatti reference. The Appellants respectfully traverse this 
rejection. 
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1. Judicial precedent has clearly established a legal standard for a prima 
facie anticipation rejection. 

Anticipation under 35 U.S.C. § 102 can be found only if a single reference shows 
exactly what is claimed. Titanium Metals Corp. v. Banner, 227 U.S.P.Q. 773 (Fed. Cir. 
1985). Thus, for a prior art reference to anticipate under Section 102, every element of 
the claimed invention must be identically shown in a single reference. In re Bond, 15 
U.S.P.Q.2d 1566 (Fed. Cir. 1990). Moreover, the prior art reference also must show the 
identical invention "/« as complete detail as contained in the ... claim" to support a 
prima facie case of anticipation. Richardson v. Suzuki Motor Co., 9 U.S.P.Q. 2d 1913, 
1920 (Fed. Cir. 1989) (emphasis added). Accordingly, the Appellants need only point to 
a single element not found in the cited reference to demonstrate that the cited reference 
fails to anticipate the claimed subject matter. 

Further, regarding a theory of inherency, the extrinsic evidence must make clear 
that the missing descriptive matter is necessarily present in the thing described in the 
reference, and that it would be so recognized by persons of ordinary skill. In re 
Robertson, 169 F.3d 743, 49 U.S.P.Q.2d 1949 (Fed. Cir. 1999) (Emphasis Added). The 
mere fact that a certain thing may result from a given set of circumstances is not 
sufficient. Id In relying upon the theory of inherency, the Examiner must provide a 
basis in fact and/or technical reasoning to reasonably support the determination that the 
allegedly inherent characteristic necessarily flows from the teachings of the applied prior 
art. Ex parte Levy, 17 U.S.P.Q.2d 1461, 1464 (Bd. Pat. App. & Inter. 1990) (emphasis in 
original). The Examiner, in presenting the inherency argument, bears the evidentiary 
burden and must adequately satisfy this burden. See id. 

2. The Bhatti Reference Fails to Anticipate the Pending Claims. 

Specifically, with regard to the rejection of claims 56, 62 and 63 in view of the 

Bhatti reference, the Examiner stated: 
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Bhatti et al disclose a method for providing multi-class 
processing of login requests comprising: 

associating a login cookie class with a login cookie; 
and (column 8, lines 9-15) 

providing a level of service to login attempts 
associated with the login cookie based on the login cookie 
class of the login cookie (column 6, lines 13-39) 

requiring a longer time delay for a second-class login 
cookie tan for a first-class login cookie between an invalid 
login attempt and allowing a subsequent login attempt, 
(column 6, lines 13-39; column 8, line 46 - column 9, line 
34; see Response to Arguments for detailed explanation). 

Furthermore, with regards to claim 63, Bhatti et al 
disclose rejecting login attempts by the client when the client 
does not utilize any class of login token, (column 3, lines 24- 
27 & 35-41). 

Final Office Action, page 4. 



Turning to the claims, claims 56 and 62 each recite, inter alia, " requiring a longer 
time delay for a second-class login cookie than for a first-class login cookie between an 
invalid login attempt and allowing a subsequent login attempt." (Emphasis added). The 
Appellants assert that, among other things, the Bhatti reference does not appear to teach 
these features of claims 56 and 62. Indeed, it appears that the Bhatti reference merely 
teaches that "class-based services provide tiered performances to match tiered pricing" 
and that "[e]ach tier or class may have targets or expectations of performance." Bhatti et 
al., col. 6, lines 33-35. The Examiner asserted that "[t]his clearly indicates that lower 
tiers would experience lower performance " Final Office Action, page 2. However, the 
Appellants do not see any direct correlation between experiencing "lower performance" 
at a lower tier and requiring longer delays for second-class login cookies. Accordingly, 
the Appellants assert that the Examiner's citation to the Bhatti reference does not 
inherently teach that a longer delay is required for a second-class login cookie than for a 
first-class login cookie. 
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Embodiments of the present invention are directed to reducing the effectiveness 

of certain methods of attacking an account (e.g., dictionary attacks). Accordingly, 

present embodiments are directed to " requiring " additional time between login attempts 

for clients with second-class login tokens. See Application, paragraph [0006]. This 

facilitates resistance or prevention of certain account attacks, such as dictionary attacks. 

The Appellants can find no teaching of this in the Bhatti reference. Further, the 

Appellants can find no support for what appears to be an inherency argument by the 

Examiner. Indeed, the portion of the Bhatti reference cited by the Examiner is 

reproduced below to emphasize this deficiency. 

Each of the access request classification systems 
52-52j? is used for one of the content sites 108-108w. For 
example, the access request classification system 52 is for 
the content site 108 and the access request classification 
system 52n is for the content site IQSn. The access request 
classification systems 52-52a? are connected to their 
corresponding content sites 108-108« via the server 
application 53. Each access request classification system is 
used to classify the access requests for its corresponding 
content site such that preferential treatments may be 
provided for some of the access requests accessing that 
content site. This allows the server 50 to provide class- 
based services to its users. The class-based services server 
50 allows multiple classes of users to share the same 
content site (i.e., the same URL address) and yet receive 
different treatments or performance. Class-based services 
is a mechanism for differentiating services given to 
individual classes. Thus, service performance can be 
priced based on performance or service agreements. A 
higher class with greater guarantee can be priced higher 
than a lower class that may offer less guarantee and m ore 
"best effort" services. Class-based services provide tiered 
performances to match tiered pricing. Each tier or class 
may have targets or expectations for performance. Each of 
the access request classification systems 52-52^ performs 
substantially the same function. The structure of each of 
the access request classification systems 52-52w is shown 
in FIG. 4, which will be described in more detail below. 



Col. 6, lines 13-39 of Bhatti et al. 



Serial No. 10/072,840 
Appeal Brief 
Page 8 

The Examiner also cited to column 8, line 46 to column 9, line 34 of the Bhatti 
reference as teaching " requiring a longer time delay for a second-class login cookie than 
for a first-class login cookie between an invalid login attempt and allowing a subsequent 
login attempt/' as recited in claims 56 and 62. Specifically, the Examiner asserted that in 
this portion of the Bhatti reference "it is mentioned that in priority scheduling, the first- 
class queue is processed before the second-class queue." Final Office Action, page 2. 
However, the Appellants stress that the priority scheduling scheme of the Bhatti reference 
is not equivalent to the recited login attempt. Indeed, a processing request and/or a queue 
is not equivalent to a login cookie. Accordingly, the Bhatti reference fails to teach the 
recited feature of claims 56 and 62. 

Regarding dependent claim 59, the Examiner stated that in the Bhatti reference 
"login attempts to a computer system inherently occur serially, rather than in parallel." 
Final Office Action, page 5 (emphasis added). The Appellants respectfully traverse this 
assertion. First, it should be noted that the present claim is not limited to a single 
computer system. A login account may be accessed via multiple computer systems. For 
example, multiple clients may attempt to access a single account from multiple locations. 
Further, embodiments of the present invention are directed to preventing attacks against 
an account in parallel . As set forth above, embodiments of the present invention are 
directed to preventing unauthorized access to accounts. Some embodiments of the 
present invention " serialize login attempts made without a first-class login cookie 300 to 
control the rate at which such login attempts are processed" to prevent the "launch [of] 
many attacks against an account in parallel ." Application, paragraph [0030] (emphasis 
added). 

The Examiner agreed with the Appellants' assertion that the present claim is not 
limited to a single computer system. See Final Office Action, page 3. Further, the 
Examiner apparently agreed with the Appellants' assertion that logins are processed in a 
serial manner in accordance with some embodiments of the present invention. Id. 
However, the Examiner asserted that "applicants' own claim 56 precludes the need to 
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serialize the login attempts, because the login cookies (which are already defined as first- 
or second-class) are stored on the computer system from which the login is attempted." 
Final Office Action, page 3. To clarify this assertion, the Examiner further stated that "a 
'parallel' login would not occur, because each location would have its own cookie of 
first- or second-class." Id. The Appellants assert that these statements by the Examiner 
are irrelevant and confusing. First of all, the Examiner's statement appears to be 
incorrect. For example, a login cookie stored on a computer system may not be 
considered to have a class designation until it is assigned such a designation upon 
attempting to access a computer system. Further, the Examiner's statements that claim 
56 "precludes the need to serialize the login attempts" and that "a 'parallel' login would 
not occur" are irrelevant and apparently based on a flawed understanding. The 
Appellants emphasize that claim 59 recites that the method comprises "serializing login 
attempts made without a login cookie designated as first-class," and the Examiner still 
has not provided support for the assertion that the Bhatti reference discloses this feature. 

The Appellants assert that the Examiner has not provided sufficient support for 
the inherency arguments made in the Examiner's rejection of the subject matter set forth 
in claims 56 and 59. While the Appellants believe this is moot in view of the arguments 
set forth above, the Appellants remind that Board that the Examiner should have provided 
a basis in fact and/or technical reasoning to reasonably support the determination that the 
allegedly inherent characteristic necessarily flows from the teachings of the applied prior 
art. 

Turning to claim 63, the Appellants assert that the Examiner did not address the 
recitations of claim 63 in any detail. Rather, it appears that the Examiner merely rejected 
claim 63 for the same reasons the Examiner set forth with respect to claims 56 and 62. 
The Appellants stress that "[a] plurality of claims should never be grouped together in a 
common rejection, unless that rejection is equally applicable to all claims in the group " 
M.P.E.P. § 707.07(d). Further, the Appellants assert that the Examiner improperly 
expressed the rejection by inappropriately grouping the claims together and has 
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completely failed to address all of the features of independent claim 63. For example, 
claim 63 recites, inter alia, "providing a client with a first-class login token when the 
client successfully logs into an account, wherein the first-class login token entitles the 
client to one or more unsuccessful login attempts without requiring a delay between the 
unsuccessful login attempts." This feature was not addressed by the Examiner. 
Additionally, in as much as the Examiner's rejection directly applies to claim 63, the 
Appellants assert that claim 63 is allowable for the same reasons set forth above with 
respect to claims 56 and 62. 

Furthermore, the Bhatti reference fails to disclose "rejecting login attempts by the 
client when the client does not utilize any class of login token," as recited in claim 63. 
The Examiner apparently asserted that this feature is disclosed at column 3, lines 24-27 
and 35-41 of the Bhatti reference. However, these portions of the Bhatti reference fail to 
disclose rejecting login attempts, much less rejecting login attempts when a login token is 
not utilized. Rather, the cited portions of Bhatti reference merely appear to relate to 
refusing to classify access requests for reasons such as preventing overload or providing 
better performance. See Bhatti et al., col. 3, lines 24-29. Additionally, the Appellants 
stress that a processing request is not equivalent to a login token. 

For the reasons set forth above, the Appellants respectfully request that the Board 
overturn the rejections under 35 U.S.C. § 102 of independent claims 56, 62 and 63 and 
the claims depending therefrom. 
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Conclusion 

Appellants respectfully submit that all pending claims are in condition for 
allowance. However, if the Examiner or Board wishes to resolve any other issues by way 
of a telephone conference, the Examiner or Board is kindly invited to contact the 
undersigned attorney at the telephone number indicated below. 

Respectfully submitted, 



Date: September 13, 2007 



W. Allen Powell 
Reg. No. 56,743 
FLETCHER YODER 
P.O. Box 692289 
Houston, TX 77269-2289 
(281) 970-4545 
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8 APPENDIX OF CLAIMS ON APPEAL 
Listing of Claims: 

56. A method for providing multi-class processing of login requests comprising: 
associating a login cookie class with a login cookie; 

providing a level of service to login attempts associated with the login cookie 
based on the login cookie class of the login cookie; and 

requiring a longer time delay for a second-class login cookie than for a first-class 
login cookie between an invalid login attempt and allowing a subsequent login attempt. 

58. The method of claim 56 wherein providing a level of service to login attempts 
associated with the login cookie based on the login cookie class of the login cookie 
further comprises: 

invalidating the subsequent login attempt for the second-class login before a user 
name and password are processed responsive to the subsequent login attempt being 
performed before the expiration of the longer time delay. 

59. The method of claim 56 wherein providing a level of service to login attempts 
associated with the login cookie based on the login cookie class of the login 
cookie further comprises: 

serializing login attempts made without a login cookie designated as first-class. 
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60. The method of claim 56 wherein providing a level of service to login attempts 
associated with the login cookie based on the login cookie class of the login cookie 
further comprises: 

responsive to no invalid consecutive login attempts since a previous valid login, 
associating a different class of login cookie with a more preferential level of service with 
the login cookie. 

61. The method of claim 56 wherein providing a level of service to login attempts 
associated with the login cookie based on the login cookie class of the login cookie 
further comprises: 

processing a login attempt associated with a class with a less preferential level of 
service at a slower defined rate than another class with a more preferential level of 
service based on a login state which defines a rate at which a server can process login 
attempts. 

62. A computer program product for use in conjunction with a computer system, the 
computer program product comprising a computer readable storage medium and a 
computer program mechanism embedded therein, the computer program mechanism 
comprising: 

instructions for associating a login cookie class with a login cookie; 
instructions for providing a level of service to login attempts associated with the 
login cookie based on the login cookie class of the login cookie; and 
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instructions requiring a longer time delay for a second-class login cookie than for 
a first-class login cookie between an invalid login attempt and allowing a subsequent 
login attempt. 

63. A method for providing multi-class processing of login requests to resist unauthorized 
access attempts comprising: 

providing a client with a first-class login token when the client successfully logs 
into an account, wherein the first-class login token entitles the client to one or more 
unsuccessful login attempts without requiring a delay between the unsuccessful login 
attempts; 

requiring a delay between attempts to log into the account if a second-class login 
token or an expired first-class login token is utilized by the client; and 

rejecting login attempts by the client when the client does not utilize any class of 
login token. 
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EVIDENCE APPENDIX 



None. 



Serial No. 10/072,840 
Appeal Brief 
Page 16 



RELATED PROCEEDINGS APPENDIX 



None. 



